reskill 1.14.0 → 1.16.0-beta.0

package/dist/cli/index.js

@@ -5237,6 +5237,133 @@ class RegistryResolver {
     }
     return false;
 }
+/**
+ * AuthManager - Handle authentication token management
+ *
+ * Manages tokens for registry authentication.
+ * Tokens are stored in ~/.reskillrc or via RESKILL_TOKEN environment variable.
+ */ // ============================================================================
+// Constants
+// ============================================================================
+const CONFIG_FILE_NAME = '.reskillrc';
+// ============================================================================
+// AuthManager Class
+// ============================================================================
+class AuthManager {
+    configPath;
+    constructor(){
+        const home = process.env.HOME || process.env.USERPROFILE || '';
+        this.configPath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(home, CONFIG_FILE_NAME);
+    }
+    /**
+   * Get the default registry URL from environment variable
+   *
+   * Returns undefined if no registry is configured - there is no hardcoded default
+   * to prevent accidental publishing to unintended registries.
+   */ getDefaultRegistry() {
+        return process.env.RESKILL_REGISTRY;
+    }
+    /**
+   * Get path to config file
+   */ getConfigPath() {
+        return this.configPath;
+    }
+    /**
+   * Get token for a registry
+   *
+   * Priority:
+   * 1. RESKILL_TOKEN environment variable
+   * 2. Token from ~/.reskillrc for the specified registry
+   */ getToken(registry) {
+        // Check environment variable first
+        const envToken = process.env.RESKILL_TOKEN;
+        if (envToken) return envToken;
+        // Read from config file
+        const config = this.readConfig();
+        if (!config?.registries) return;
+        const targetRegistry = registry || this.getDefaultRegistry();
+        if (!targetRegistry) return;
+        const auth = config.registries[targetRegistry];
+        return auth?.token;
+    }
+    /**
+   * Check if token exists for a registry
+   */ hasToken(registry) {
+        return void 0 !== this.getToken(registry);
+    }
+    /**
+   * Get email for a registry
+   */ getEmail(registry) {
+        const config = this.readConfig();
+        if (!config?.registries) return;
+        const targetRegistry = registry || this.getDefaultRegistry();
+        if (!targetRegistry) return;
+        const auth = config.registries[targetRegistry];
+        return auth?.email;
+    }
+    /**
+   * Get handle for a registry
+   */ getHandle(registry) {
+        const config = this.readConfig();
+        if (!config?.registries) return;
+        const targetRegistry = registry || this.getDefaultRegistry();
+        if (!targetRegistry) return;
+        const auth = config.registries[targetRegistry];
+        return auth?.handle;
+    }
+    /**
+   * Set token for a registry
+   *
+   * Note: When no registry is specified and RESKILL_REGISTRY env var is not set,
+   * this method will throw an error. The calling code should ensure a registry
+   * is always provided (either explicitly or via environment variable).
+   */ setToken(token, registry, email, handle) {
+        const config = this.readConfig() || {};
+        const targetRegistry = registry || this.getDefaultRegistry();
+        if (!targetRegistry) throw new Error('No registry specified. Set RESKILL_REGISTRY environment variable or provide registry explicitly.');
+        if (!config.registries) config.registries = {};
+        config.registries[targetRegistry] = {
+            token,
+            ...email && {
+                email
+            },
+            ...handle && {
+                handle
+            }
+        };
+        this.writeConfig(config);
+    }
+    /**
+   * Remove token for a registry
+   */ removeToken(registry) {
+        const config = this.readConfig();
+        if (!config?.registries) return;
+        const targetRegistry = registry || this.getDefaultRegistry();
+        if (!targetRegistry) return;
+        delete config.registries[targetRegistry];
+        this.writeConfig(config);
+    }
+    /**
+   * Read config file
+   */ readConfig() {
+        try {
+            if (!external_node_fs_.existsSync(this.configPath)) return null;
+            const content = external_node_fs_.readFileSync(this.configPath, 'utf-8');
+            if (!content.trim()) return null;
+            return JSON.parse(content);
+        } catch  {
+            return null;
+        }
+    }
+    /**
+   * Write config file
+   */ writeConfig(config) {
+        const content = JSON.stringify(config, null, 2);
+        external_node_fs_.writeFileSync(this.configPath, content, {
+            mode: 384
+        });
+    }
+}
 /**
  * Get status icon
  */ function getStatusIcon(status) {
@@ -5444,6 +5571,73 @@ class RegistryResolver {
         hint: 'For private repos, add SSH key: ssh-keygen -t ed25519'
     };
 }
+/**
+ * Valid install modes
+ *
+ * Must stay in sync with InstallMode type from installer.ts ('symlink' | 'copy').
+ * TypeScript literal union types are erased at runtime, so we maintain this list manually.
+ */ const VALID_INSTALL_MODES = [
+    'symlink',
+    'copy'
+];
+/**
+ * Check registry authentication status
+ *
+ * Verifies actual token availability, not just file existence.
+ * Uses AuthManager.getToken() which checks RESKILL_TOKEN env first,
+ * then reads ~/.reskillrc for the configured registry.
+ */ function checkAuthStatus() {
+    const hasEnvToken = !!process.env.RESKILL_TOKEN;
+    if (hasEnvToken) return {
+        name: 'Registry auth',
+        status: 'ok',
+        message: 'RESKILL_TOKEN set'
+    };
+    // Check if ~/.reskillrc has any valid tokens
+    const authManager = new AuthManager();
+    const configPath = authManager.getConfigPath();
+    if (!(0, external_node_fs_.existsSync)(configPath)) return {
+        name: 'Registry auth',
+        status: 'warn',
+        message: 'no token configured',
+        hint: 'Run: reskill login (needed for publish and private skills)'
+    };
+    // File exists — check if it actually contains a token for any registry
+    const hasToken = authManager.hasToken();
+    if (hasToken) return {
+        name: 'Registry auth',
+        status: 'ok',
+        message: 'token configured via ~/.reskillrc'
+    };
+    return {
+        name: 'Registry auth',
+        status: 'warn',
+        message: '~/.reskillrc exists but no token found for current registry',
+        hint: 'Run: reskill login (needed for publish and private skills)'
+    };
+}
+/**
+ * Check environment variables used by reskill
+ *
+ * Security: Only report variable names, never values.
+ * RESKILL_TOKEN contains a secret and must not be displayed.
+ */ function checkEnvVars() {
+    // Only collect names, never values (RESKILL_TOKEN is a secret)
+    const vars = [];
+    if (process.env.RESKILL_TOKEN) vars.push('RESKILL_TOKEN');
+    if (process.env.RESKILL_REGISTRY) vars.push('RESKILL_REGISTRY');
+    if (process.env.RESKILL_CACHE_DIR) vars.push('RESKILL_CACHE_DIR');
+    if (0 === vars.length) return {
+        name: 'Environment vars',
+        status: 'ok',
+        message: 'none set'
+    };
+    return {
+        name: 'Environment vars',
+        status: 'ok',
+        message: `${vars.join(', ')} set`
+    };
+}
 /**
  * Check cache directory
  */ function checkCacheDir() {
@@ -5535,12 +5729,21 @@ class RegistryResolver {
     try {
         const config = configLoader.load();
         const registries = config.registries || {};
-        for (const name of Object.keys(registries))if (RESERVED_REGISTRIES.includes(name.toLowerCase())) results.push({
-            name: 'Registry conflict',
-            status: 'warn',
-            message: `"${name}" overrides built-in registry`,
-            hint: 'Consider using a different name for custom registries'
-        });
+        for (const [name, url] of Object.entries(registries)){
+            if (RESERVED_REGISTRIES.includes(name.toLowerCase())) results.push({
+                name: 'Registry conflict',
+                status: 'warn',
+                message: `"${name}" overrides built-in registry`,
+                hint: 'Consider using a different name for custom registries'
+            });
+            // Validate URL format
+            if ('string' == typeof url && !/^https?:\/\//.test(url)) results.push({
+                name: 'Invalid registry URL',
+                status: 'error',
+                message: `"${name}": "${url}" is not a valid URL`,
+                hint: 'Registry URLs must start with http:// or https://'
+            });
+        }
     } catch  {
     // Ignore parse errors, handled by checkSkillsJson
     }
@@ -5575,6 +5778,46 @@ class RegistryResolver {
     }
     return null;
 }
+/**
+ * Check for invalid installMode configuration
+ */ function checkInstallMode(cwd) {
+    const configLoader = new ConfigLoader(cwd);
+    if (!configLoader.exists()) return null;
+    try {
+        const defaults = configLoader.getDefaults();
+        const installMode = defaults.installMode;
+        if (!installMode) return null;
+        if (!VALID_INSTALL_MODES.includes(installMode)) return {
+            name: 'Invalid installMode',
+            status: 'error',
+            message: `"${installMode}" is not a valid install mode`,
+            hint: 'Valid values: symlink, copy'
+        };
+    } catch  {
+    // Ignore parse errors
+    }
+    return null;
+}
+/**
+ * Check for invalid publishRegistry configuration
+ */ function checkPublishRegistry(cwd) {
+    const configLoader = new ConfigLoader(cwd);
+    if (!configLoader.exists()) return null;
+    try {
+        const defaults = configLoader.getDefaults();
+        const publishRegistry = defaults.publishRegistry;
+        if (!publishRegistry) return null;
+        if (!/^https?:\/\//.test(publishRegistry)) return {
+            name: 'Invalid publishRegistry',
+            status: 'warn',
+            message: `"${publishRegistry}" is not a valid URL`,
+            hint: 'publishRegistry must start with http:// or https://'
+        };
+    } catch  {
+    // Ignore parse errors
+    }
+    return null;
+}
 /**
  * Check for invalid targetAgents configuration
  */ function checkTargetAgents(cwd) {
@@ -5711,6 +5954,15 @@ class RegistryResolver {
             hint: 'Run: reskill install'
         };
     }
+    // Check lockfile version compatibility before sync check
+    // If version is unsupported, sync results would be meaningless
+    const lockData = lockManager.load();
+    if (lockData.lockfileVersion !== LOCKFILE_VERSION) return {
+        name: 'skills.lock',
+        status: 'warn',
+        message: `unsupported lockfile version: ${lockData.lockfileVersion}`,
+        hint: 'Run: reskill install to regenerate'
+    };
     // Check if lock is in sync with config
     const configSkills = configLoader.getSkills();
     const lockedSkills = lockManager.getAll();
@@ -5821,6 +6073,66 @@ class RegistryResolver {
     }
     return results;
 }
+/**
+ * Check detected agents
+ */ async function checkDetectedAgents() {
+    try {
+        const installed = await detectInstalledAgents();
+        if (0 === installed.length) return {
+            name: 'Detected agents',
+            status: 'ok',
+            message: 'none detected'
+        };
+        return {
+            name: 'Detected agents',
+            status: 'ok',
+            message: `${installed.length} detected: ${installed.join(', ')}`
+        };
+    } catch  {
+        return {
+            name: 'Detected agents',
+            status: 'warn',
+            message: 'detection failed'
+        };
+    }
+}
+/**
+ * Normalize a URL to its origin for comparison.
+ * Handles trailing slashes and case differences (e.g., GITHUB.COM → github.com).
+ */ function normalizeUrlOrigin(url) {
+    try {
+        return new URL(url).origin;
+    } catch  {
+        return url;
+    }
+}
+/**
+ * Get custom registry URLs for network checks
+ *
+ * Reads registries from skills.json and publishRegistry,
+ * excluding built-in github.com/gitlab.com and deduplicating.
+ */ function getCustomRegistryUrls(cwd) {
+    const urls = new Set();
+    const builtinOrigins = new Set(Object.values(DEFAULT_REGISTRIES).map((u)=>normalizeUrlOrigin(u)));
+    try {
+        const configLoader = new ConfigLoader(cwd);
+        if (!configLoader.exists()) return [];
+        // Collect custom registry URLs
+        const config = configLoader.load();
+        const registries = config.registries || {};
+        for (const url of Object.values(registries))if ('string' == typeof url && /^https?:\/\//.test(url) && !builtinOrigins.has(normalizeUrlOrigin(url))) urls.add(url);
+        // Collect publishRegistry
+        const defaults = configLoader.getDefaults();
+        if (defaults.publishRegistry && /^https?:\/\//.test(defaults.publishRegistry)) {
+            if (!builtinOrigins.has(normalizeUrlOrigin(defaults.publishRegistry))) urls.add(defaults.publishRegistry);
+        }
+    } catch  {
+    // Ignore errors
+    }
+    return [
+        ...urls
+    ];
+}
 /**
  * Check network connectivity
  */ async function checkNetwork(host) {
@@ -5867,23 +6179,32 @@ class RegistryResolver {
  */ async function runDoctorChecks(options) {
     const { cwd, packageName, packageVersion, skipNetwork, skipConfigChecks } = options;
     const results = [];
-    // Version checks
+    // Environment checks
     results.push(await checkReskillVersion(packageVersion, packageName));
     results.push(checkNodeVersion());
     results.push(checkGitVersion());
     results.push(checkGitAuth());
+    results.push(checkAuthStatus());
+    results.push(checkEnvVars());
     // Directory checks
     results.push(checkCacheDir());
     results.push(checkSkillsJson(cwd));
     results.push(checkSkillsLock(cwd));
     results.push(...checkInstalledSkills(cwd));
+    results.push(await checkDetectedAgents());
     // Deep config checks (can be skipped for faster checks)
     if (!skipConfigChecks) {
-        // Registry conflicts
+        // Registry conflicts + URL validation
         results.push(...checkRegistryConflicts(cwd));
         // installDir validation
         const installDirCheck = checkInstallDir(cwd);
         if (installDirCheck) results.push(installDirCheck);
+        // installMode validation
+        const installModeCheck = checkInstallMode(cwd);
+        if (installModeCheck) results.push(installModeCheck);
+        // publishRegistry validation
+        const publishRegistryCheck = checkPublishRegistry(cwd);
+        if (publishRegistryCheck) results.push(publishRegistryCheck);
         // targetAgents validation
         results.push(...checkTargetAgents(cwd));
         // Skill reference format validation
@@ -5895,6 +6216,9 @@ class RegistryResolver {
     if (!skipNetwork) {
         results.push(await checkNetwork('https://github.com'));
         results.push(await checkNetwork('https://gitlab.com'));
+        // Custom registry connectivity
+        const customUrls = getCustomRegistryUrls(cwd);
+        for (const url of customUrls)results.push(await checkNetwork(url));
     }
     return results;
 }
@@ -6191,133 +6515,6 @@ const DEFAULT_INSTALL_DIR = '.skills';
     // Display summary (use options.installDir directly since we just set it)
     displayConfigSummary(options.installDir);
 });
-/**
- * AuthManager - Handle authentication token management
- *
- * Manages tokens for registry authentication.
- * Tokens are stored in ~/.reskillrc or via RESKILL_TOKEN environment variable.
- */ // ============================================================================
-// Constants
-// ============================================================================
-const CONFIG_FILE_NAME = '.reskillrc';
-// ============================================================================
-// AuthManager Class
-// ============================================================================
-class AuthManager {
-    configPath;
-    constructor(){
-        const home = process.env.HOME || process.env.USERPROFILE || '';
-        this.configPath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(home, CONFIG_FILE_NAME);
-    }
-    /**
-   * Get the default registry URL from environment variable
-   *
-   * Returns undefined if no registry is configured - there is no hardcoded default
-   * to prevent accidental publishing to unintended registries.
-   */ getDefaultRegistry() {
-        return process.env.RESKILL_REGISTRY;
-    }
-    /**
-   * Get path to config file
-   */ getConfigPath() {
-        return this.configPath;
-    }
-    /**
-   * Get token for a registry
-   *
-   * Priority:
-   * 1. RESKILL_TOKEN environment variable
-   * 2. Token from ~/.reskillrc for the specified registry
-   */ getToken(registry) {
-        // Check environment variable first
-        const envToken = process.env.RESKILL_TOKEN;
-        if (envToken) return envToken;
-        // Read from config file
-        const config = this.readConfig();
-        if (!config?.registries) return;
-        const targetRegistry = registry || this.getDefaultRegistry();
-        if (!targetRegistry) return;
-        const auth = config.registries[targetRegistry];
-        return auth?.token;
-    }
-    /**
-   * Check if token exists for a registry
-   */ hasToken(registry) {
-        return void 0 !== this.getToken(registry);
-    }
-    /**
-   * Get email for a registry
-   */ getEmail(registry) {
-        const config = this.readConfig();
-        if (!config?.registries) return;
-        const targetRegistry = registry || this.getDefaultRegistry();
-        if (!targetRegistry) return;
-        const auth = config.registries[targetRegistry];
-        return auth?.email;
-    }
-    /**
-   * Get handle for a registry
-   */ getHandle(registry) {
-        const config = this.readConfig();
-        if (!config?.registries) return;
-        const targetRegistry = registry || this.getDefaultRegistry();
-        if (!targetRegistry) return;
-        const auth = config.registries[targetRegistry];
-        return auth?.handle;
-    }
-    /**
-   * Set token for a registry
-   *
-   * Note: When no registry is specified and RESKILL_REGISTRY env var is not set,
-   * this method will throw an error. The calling code should ensure a registry
-   * is always provided (either explicitly or via environment variable).
-   */ setToken(token, registry, email, handle) {
-        const config = this.readConfig() || {};
-        const targetRegistry = registry || this.getDefaultRegistry();
-        if (!targetRegistry) throw new Error('No registry specified. Set RESKILL_REGISTRY environment variable or provide registry explicitly.');
-        if (!config.registries) config.registries = {};
-        config.registries[targetRegistry] = {
-            token,
-            ...email && {
-                email
-            },
-            ...handle && {
-                handle
-            }
-        };
-        this.writeConfig(config);
-    }
-    /**
-   * Remove token for a registry
-   */ removeToken(registry) {
-        const config = this.readConfig();
-        if (!config?.registries) return;
-        const targetRegistry = registry || this.getDefaultRegistry();
-        if (!targetRegistry) return;
-        delete config.registries[targetRegistry];
-        this.writeConfig(config);
-    }
-    /**
-   * Read config file
-   */ readConfig() {
-        try {
-            if (!external_node_fs_.existsSync(this.configPath)) return null;
-            const content = external_node_fs_.readFileSync(this.configPath, 'utf-8');
-            if (!content.trim()) return null;
-            return JSON.parse(content);
-        } catch  {
-            return null;
-        }
-    }
-    /**
-   * Write config file
-   */ writeConfig(config) {
-        const content = JSON.stringify(config, null, 2);
-        external_node_fs_.writeFileSync(this.configPath, content, {
-            mode: 384
-        });
-    }
-}
 // ============================================================================
 // Utility Functions
 // ============================================================================
@@ -7876,6 +8073,344 @@ class SkillValidator {
         return `sha256-${hash.digest('hex')}`;
     }
 }
+/**
+ * ContentScanner - Detect malicious patterns in SKILL.md content
+ *
+ * Features:
+ * - Context-aware: skips safe zones (frontmatter, code blocks, quotes, blockquotes)
+ * - 6 built-in detection rules across 3 risk levels
+ * - Configurable: override levels, disable rules, add custom rules
+ * - Pure string operations in scan() — no fs dependency, suitable for server use
+ * - scanFile() convenience method for CLI use
+ */ // ============================================================================
+// Safe Zone Masking
+// ============================================================================
+/**
+ * Mask safe zones in Markdown content with spaces, preserving line structure.
+ *
+ * Safe zones (content replaced with spaces):
+ * - YAML frontmatter (`---` ... `---` at file start)
+ * - Fenced code blocks (``` or ~~~)
+ * - Indented code blocks (4 spaces / tab after blank line)
+ * - Blockquotes (`> ` prefix)
+ * - Inline code (`` `...` ``)
+ * - Double-quoted text (`"..."`, min 3 chars between quotes)
+ *
+ * Line breaks are preserved so line numbers remain correct.
+ */ function maskSafeZones(content) {
+    const lines = content.split('\n');
+    const result = [];
+    let inFrontmatter = false;
+    let inFencedCode = false;
+    let fenceChar = '';
+    let fenceLength = 0;
+    let prevLineBlank = false;
+    let prevLineIndentedCode = false;
+    for(let i = 0; i < lines.length; i++){
+        const line = lines[i];
+        // --- YAML Frontmatter (only at file start) ---
+        if (0 === i && '---' === line.trim()) {
+            inFrontmatter = true;
+            result.push(maskLine(line));
+            continue;
+        }
+        if (inFrontmatter) {
+            result.push(maskLine(line));
+            if ('---' === line.trim()) inFrontmatter = false;
+            continue;
+        }
+        // --- Fenced code blocks (``` or ~~~) ---
+        const fenceMatch = line.match(/^(`{3,}|~{3,})/);
+        if (!inFencedCode && fenceMatch) {
+            inFencedCode = true;
+            fenceChar = fenceMatch[1][0];
+            fenceLength = fenceMatch[1].length;
+            result.push(maskLine(line));
+            prevLineBlank = false;
+            prevLineIndentedCode = false;
+            continue;
+        }
+        if (inFencedCode) {
+            result.push(maskLine(line));
+            const closeMatch = line.match(/^(`{3,}|~{3,})\s*$/);
+            if (closeMatch && closeMatch[1][0] === fenceChar && closeMatch[1].length >= fenceLength) inFencedCode = false;
+            prevLineBlank = false;
+            prevLineIndentedCode = false;
+            continue;
+        }
+        // --- Blockquote ---
+        if (/^>\s?/.test(line)) {
+            result.push(maskLine(line));
+            prevLineBlank = false;
+            prevLineIndentedCode = false;
+            continue;
+        }
+        // --- Indented code block (4 spaces or tab, after blank line) ---
+        if (/^(?:    |\t)/.test(line) && (prevLineBlank || prevLineIndentedCode)) {
+            result.push(maskLine(line));
+            prevLineBlank = false;
+            prevLineIndentedCode = true;
+            continue;
+        }
+        // --- Normal line: mask inline code and double-quoted text ---
+        result.push(maskInline(line));
+        prevLineBlank = '' === line.trim();
+        prevLineIndentedCode = false;
+    }
+    return result.join('\n');
+}
+/** Replace all characters in a line with spaces (preserving length) */ function maskLine(line) {
+    return ' '.repeat(line.length);
+}
+/**
+ * Mask inline code (`` `...` ``) and double-quoted text (`"..."`) within a line.
+ * Uses regex replacement for efficiency (avoids char-by-char concatenation on long lines).
+ * Single quotes are NOT masked to avoid false matches with apostrophes.
+ */ function maskInline(line) {
+    let result = line;
+    // Inline code: `...`
+    result = result.replace(/`[^`]+`/g, (m)=>' '.repeat(m.length));
+    // Double-quoted text: "..." (min 3 chars between quotes)
+    result = result.replace(/"[^"]{3,}"/g, (m)=>' '.repeat(m.length));
+    return result;
+}
+// ============================================================================
+// Rule Helpers
+// ============================================================================
+/** Find lines matching any of the given patterns, return one match per line */ function findLineMatches(content, patterns) {
+    const lines = content.split('\n');
+    const matches = [];
+    for(let i = 0; i < lines.length; i++)for (const pattern of patterns)if (pattern.test(lines[i])) {
+        matches.push({
+            line: i + 1
+        });
+        break;
+    }
+    return matches;
+}
+// ============================================================================
+// Default Rules
+// ============================================================================
+const SNIPPET_MAX_LENGTH = 120;
+/** Built-in detection rules */ const DEFAULT_RULES = [
+    // Rule 1: Prompt Injection (high)
+    {
+        id: 'prompt-injection',
+        level: 'high',
+        message: 'Detected prompt injection attempt',
+        skipSafeZones: true,
+        check: (content)=>findLineMatches(content, [
+                /ignore\s+(all\s+)?previous\s+instructions/i,
+                /disregard\s+(all\s+)?(prior|previous|above)\s+(instructions|rules|context)/i,
+                /you\s+are\s+now\s+/i,
+                /from\s+now\s+on[,\s]+you\s+are/i,
+                /new\s+system\s+prompt/i,
+                /override\s+(your|the)\s+(system|safety|security)\s+(prompt|rules|instructions)/i,
+                /forget\s+(?:all\s+)?(?:your\s+)?(?:previous\s+|prior\s+)?(?:instructions|rules|constraints)/i,
+                /entering\s+(a\s+)?new\s+(mode|context|session)/i
+            ])
+    },
+    // Rule 2: Data Exfiltration (high)
+    {
+        id: 'data-exfiltration',
+        level: 'high',
+        message: 'Detected potential data exfiltration command',
+        skipSafeZones: true,
+        check: (content)=>{
+            const lines = content.split('\n');
+            const matches = [];
+            const commandPattern = /\b(curl|wget|fetch|http\.post|requests\.post|nc\b|ncat|netcat)\b/i;
+            const sensitivePattern = /(\$[A-Z_]*(?:KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL|AUTH)[A-Z_]*|\$ENV\b|\$\{[^}]*(?:KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)[^}]*\})/i;
+            for(let i = 0; i < lines.length; i++)if (commandPattern.test(lines[i]) && sensitivePattern.test(lines[i])) matches.push({
+                line: i + 1
+            });
+            return matches;
+        }
+    },
+    // Rule 3: Content Obfuscation (high) — scans ALL content including safe zones
+    {
+        id: 'obfuscation',
+        level: 'high',
+        message: 'Detected content obfuscation',
+        skipSafeZones: false,
+        check: (content)=>{
+            const matches = [];
+            const lines = content.split('\n');
+            // Zero-width characters (suspicious in any context)
+            const zeroWidthPattern = /[\u200B\u200C\u200D\uFEFF\u2060\u180E]/;
+            for(let i = 0; i < lines.length; i++)if (zeroWidthPattern.test(lines[i])) matches.push({
+                line: i + 1,
+                snippet: 'Zero-width Unicode characters detected'
+            });
+            // Long base64-like strings (>200 continuous chars)
+            const base64Pattern = /[A-Za-z0-9+/=]{200,}/;
+            for(let i = 0; i < lines.length; i++)if (base64Pattern.test(lines[i])) matches.push({
+                line: i + 1,
+                snippet: 'Suspicious base64-encoded block detected'
+            });
+            // Large HTML comments (>200 chars of content)
+            const commentRegex = /<!--([\s\S]{200,}?)-->/g;
+            let match;
+            // biome-ignore lint/suspicious/noAssignInExpressions: standard regex exec loop
+            while(null !== (match = commentRegex.exec(content))){
+                const lineNum = content.slice(0, match.index).split('\n').length;
+                matches.push({
+                    line: lineNum,
+                    snippet: `Large HTML comment block (${match[1].length} chars)`
+                });
+            }
+            return matches;
+        }
+    },
+    // Rule 4: Sensitive File Access (medium)
+    {
+        id: 'sensitive-file-access',
+        level: 'medium',
+        message: 'References sensitive file path',
+        skipSafeZones: true,
+        check: (content)=>findLineMatches(content, [
+                /~\/\.ssh\b/,
+                /~\/\.aws\b/,
+                /~\/\.gnupg\b/,
+                /~\/\.config\/gcloud\b/,
+                /\bid_rsa\b/i,
+                /\bid_ed25519\b/i,
+                /\/etc\/passwd\b/,
+                /\/etc\/shadow\b/,
+                /\.env\b(?!\.\w)/
+            ])
+    },
+    // Rule 5: Stealth Instructions (medium) — phrase + action verb matching
+    {
+        id: 'stealth-instructions',
+        level: 'medium',
+        message: 'Detected instruction to hide actions from user',
+        skipSafeZones: true,
+        check: (content)=>{
+            const actionVerbs = 'execute|delete|remove|send|transmit|modify|overwrite|install|download|upload|run|write|create|destroy|drop';
+            const patterns = [
+                new RegExp(`silently\\s+(?:${actionVerbs})`, 'i'),
+                new RegExp(`without\\s+telling\\s+the\\s+user.{0,30}(?:${actionVerbs})`, 'i'),
+                new RegExp("(?:do\\s+not|don'?t)\\s+show\\s+.{0,40}(?:to\\s+the\\s+user|to\\s+user)", 'i'),
+                new RegExp("hide\\s+(?:this|the|these|all)\\s+.{0,30}(?:from\\s+the\\s+user|from\\s+user)", 'i'),
+                new RegExp("(?:do\\s+not|don'?t)\\s+mention\\s+.{0,30}(?:to\\s+the\\s+user|to\\s+user)", 'i'),
+                new RegExp("keep\\s+(?:this|it)\\s+(?:a\\s+)?secret\\s+from\\s+(?:the\\s+)?user", 'i')
+            ];
+            // Safe patterns to exclude (common in legitimate DevOps/automation skills)
+            const safePatterns = [
+                /silently\s+(?:ignore|skip|fail|discard|suppress|continue|pass|drop|swallow)/i
+            ];
+            const lines = content.split('\n');
+            const matches = [];
+            for(let i = 0; i < lines.length; i++){
+                const line = lines[i];
+                if (!safePatterns.some((p)=>p.test(line))) {
+                    for (const pattern of patterns)if (pattern.test(line)) {
+                        matches.push({
+                            line: i + 1
+                        });
+                        break;
+                    }
+                }
+            }
+            return matches;
+        }
+    },
+    // Rule 6: Oversized Content (low) — scans ALL content
+    {
+        id: 'oversized-content',
+        level: 'low',
+        message: 'Content exceeds recommended size limit',
+        skipSafeZones: false,
+        check: (content)=>{
+            const MAX_SIZE_BYTES = 51200;
+            const sizeBytes = Buffer.byteLength(content, 'utf-8');
+            if (sizeBytes > MAX_SIZE_BYTES) return [
+                {
+                    snippet: `Content size: ${(sizeBytes / 1024).toFixed(1)}KB (limit: 50KB)`
+                }
+            ];
+            return [];
+        }
+    }
+];
+// ============================================================================
+// ContentScanner
+// ============================================================================
+/** Build the effective rule set from defaults + options */ function buildRuleSet(options) {
+    let rules = DEFAULT_RULES.map((r)=>({
+            ...r
+        }));
+    if (options?.disabledRules?.length) {
+        const disabled = new Set(options.disabledRules);
+        rules = rules.filter((r)=>!disabled.has(r.id));
+    }
+    if (options?.overrides) for (const rule of rules){
+        const override = options.overrides[rule.id];
+        if (override) rule.level = override;
+    }
+    if (options?.customRules?.length) rules.push(...options.customRules);
+    return rules;
+}
+/**
+ * Content scanner for SKILL.md files.
+ *
+ * Detects prompt injection, data exfiltration, obfuscation, sensitive file
+ * access, stealth instructions, and oversized content.
+ *
+ * @example
+ * ```typescript
+ * // Default usage (CLI)
+ * const scanner = new ContentScanner();
+ * const result = scanner.scan(content);
+ *
+ * // Custom usage (private registry server)
+ * const scanner = new ContentScanner({
+ *   overrides: { 'prompt-injection': 'medium' },
+ *   disabledRules: ['stealth-instructions'],
+ * });
+ * ```
+ */ class ContentScanner {
+    rules;
+    constructor(options){
+        this.rules = buildRuleSet(options);
+    }
+    /**
+   * Scan content string for malicious patterns.
+   * Pure string operation — no file system access.
+   */ scan(content) {
+        const originalLines = content.split('\n');
+        const maskedContent = maskSafeZones(content);
+        const findings = [];
+        for (const rule of this.rules){
+            const targetContent = rule.skipSafeZones ? maskedContent : content;
+            const matches = rule.check(targetContent);
+            for (const match of matches){
+                // Use custom snippet if provided, otherwise generate from original content
+                const snippet = match.snippet ?? (null != match.line ? originalLines[match.line - 1]?.trim().slice(0, SNIPPET_MAX_LENGTH) : void 0);
+                findings.push({
+                    rule: rule.id,
+                    level: rule.level,
+                    message: rule.message,
+                    line: match.line,
+                    snippet
+                });
+            }
+        }
+        const hasHighRisk = findings.some((f)=>'high' === f.level);
+        return {
+            passed: !hasHighRisk,
+            findings
+        };
+    }
+    /**
+   * Scan a file for malicious patterns.
+   * Convenience wrapper that reads the file then calls scan().
+   */ scanFile(filePath) {
+        const content = external_node_fs_.readFileSync(filePath, 'utf-8');
+        return this.scan(content);
+    }
+}
 /**
  * publish command - Publish a skill to the registry
  *
@@ -8175,6 +8710,25 @@ class SkillValidator {
     logger_logger.newline();
     logger_logger.log('No changes made (--dry-run)');
 }
+/**
+ * Display content scan findings
+ */ function displayScanFindings(scanResult) {
+    if (0 === scanResult.findings.length) {
+        logger_logger.log('  ✓ Content security scan passed');
+        return;
+    }
+    logger_logger.newline();
+    logger_logger.log('⚠ Content Security Scan:');
+    logger_logger.newline();
+    for (const finding of scanResult.findings){
+        const levelTag = finding.level.toUpperCase().padEnd(6);
+        const lineInfo = finding.line ? ` (line ${finding.line})` : '';
+        logger_logger.log(`  ${levelTag}  ${finding.rule}${lineInfo}`);
+        logger_logger.log(`          ${finding.message}`);
+        if (finding.snippet) logger_logger.log(`          > ${finding.snippet}`);
+        logger_logger.newline();
+    }
+}
 // ============================================================================
 // Main Action
 // ============================================================================
@@ -8217,6 +8771,18 @@ async function publishAction(skillPath, options) {
         }
         // 3. Validate
         const validation = validator.validate(absolutePath);
+        // 3.5. Content security scan
+        const skillMdPath = __WEBPACK_EXTERNAL_MODULE_node_path__.join(absolutePath, 'SKILL.md');
+        if (external_node_fs_.existsSync(skillMdPath)) {
+            const scanner = new ContentScanner();
+            const scanResult = scanner.scanFile(skillMdPath);
+            displayScanFindings(scanResult);
+            if (!scanResult.passed) {
+                logger_logger.newline();
+                logger_logger.error('Content security scan failed. Fix the issues above before publishing.');
+                process.exit(1);
+            }
+        }
         // 4. Get git info
         let gitInfo;
         try {